Help.... Please.... Users from AD groups are not populating in the site people picker. I've set up a SharePoint 2013 site collection permissions group with only AD groups in it, no users added directly. Whether or not I give this SharePoint group permissions to the site content, I still get none of the AD users showing up in the people picker. I have done the iisreset after adding the groups.

I've checked all of the people picker properties in stsadm to be sure there are no constraints in effect on the web app or site collections.
User profiles are synching and I've tried both AD import and User Profile Sync.
The AD groups are security groups, though not email-enabled.
The AD service account has all the special permissions.
My web app is claims based.
My app pool runs with Network Service account.
No policies in place to restrict users, checked CA and the site collection settings.

What am I missing?
I've read in multiple places that this is a supported/working config.
So why can't I get these users to populate in people picker for things like Assigned To in a tasks list, or attendees of an event?